Department of Energy: Key Factors Underlying Security Problems at DOE
Facilities (Testimony, 04/20/99, GAO/T-RCED-99-159).

Pursuant to a congressional request, GAO discussed its past work
involving security at Department of Energy's (DOE) facilities.

GAO noted that: (1) GAO's work has identified security-related problems
with controlling foreign visitors, protecting classified and sensitive
information, maintaining physical security over facilities and property,
ensuring the trustworthiness of employees, and accounting for nuclear
materials; (2) these problems include: (a) ineffective controls over
foreign visitors to DOE's most sensitive facilities; (b) weaknesses in
efforts to control and protect classified and sensitive information; (c)
lax physical security controls, such as security personnel and fences,
to protect facilities and property; (d) ineffective management of
personnel security clearance programs; and (e) weaknesses in DOE's
ability to track and control nuclear materials; (3) the recent
revelations about espionage bring to light how ingrained security
problems are at DOE; (4) although each individual security problem is a
concern, when these problems are looked at collectively over time, a
more serious situation becomes apparent; (5) while a number of
investigations are under way to determine the status of these security
problems, GAO has found that DOE has often agreed to take corrective
action but the implementation has not been successful and the problems
reoccur; (6) there are two overall systemic causes for this situation;
(7) DOE managers and contractors have shown a lack of attention and
priority to security matters; (8) there is a serious lack of
accountability at DOE; (9) efforts to address security problems have
languished for years without resolution or repercussions to those
organizations responsible; (10) security in today's environment is even
more challenging, given the greater openness that now exists at DOE's
facilities and the international cooperation associated with some of
DOE's research; (11) even when more stringent security measures were in
place than there are today, problems have arisen and secrets can be, and
were, lost; and (12) consequently, continual vigilance, as well as more
sophisticated security strategies, will be needed to meet the threats
that exist today.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-RCED-99-159
     TITLE:  Department of Energy: Key Factors Underlying Security
	     Problems at DOE Facilities
      DATE:  04/20/99
   SUBJECT:  Security clearances
	     Nuclear weapons plant security
	     Internal controls
	     Facility security
	     Foreign governments
	     Computer security
	     Laboratories
	     Information leaking
	     Classified information
	     Atomic energy defense activities
IDENTIFIER:  Russia
	     China
	     DOE Initiatives for Proliferation Prevention Program

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
DEPARTMENT OF ENERGY: Key Factors Underlying Security Problems at
DOE Facilities GAO/T-RCED-99-159 United States General Accounting
Office

GAO Testimony Before the Subcommittee on Oversight and
Investigations,

Committee on Commerce, House of Representatives For Release on
Delivery Expected at 2: 00 p. m. EDT Tuesday April 20, 1999

DEPARTMENT OF ENERGY

Key Factors Underlying Security Problems at DOE Facilities

Statement of Victor S. Rezendes, Director, Energy, Resources, and
Science Issues, Resources, Community, and Economic Development
Division

GAO/T-RCED-99-159

  GAO/T-RCED-99-159

Mr. Chairman and Members of the Subcommittee: We are pleased to be
here today to discuss our past work involving security at the
Department of Energy's (DOE) facilities. These facilities,
particularly its nuclear weapons design laboratories and its
nuclear material and weapons production facilities, have long been
viewed by DOE and the FBI as targets of espionage and other
threats. Recent revelations of the possible loss of nuclear
weapons design and other classified information to foreign
countries have focused renewed attention on the effectiveness of
security at DOE's facilities and have prompted concerns at high
levels in the government, including the Administration and the
Congress.

To protect its facilities from security threats, DOE created a
multifaceted, defense- in- depth security strategy. Under such a
strategy, various lines of defense are used to protect classified
and sensitive information, nuclear materials, and equipment. Over
the last 20 years, we have performed numerous reviews of security
that, unfortunately, Mr. Chairman, show serious weaknesses in many
of these lines of defense that have lead to losses of classified
or sensitive information and technology.

In summary, Mr. Chairman, our work has identified security-
related problems with controlling foreign visitors, protecting
classified and sensitive information, maintaining physical
security over facilities and property, ensuring the
trustworthiness of employees, and accounting for nuclear
materials. These problems include:

 Ineffective controls over foreign visitors to DOE's most
sensitive facilities. We found in 1988, and again in 1997, that
foreign visitors are allowed into DOE's nuclear weapons design
laboratories with few background checks and inadequate controls
over the topics discussed, and that other security procedures,
such as access controls, to mitigate the risks from these visits
may not be fully effective. In addition, counterintelligence
programs to guard against foreign and industrial espionage
activities received little priority and attention.  Weaknesses in
efforts to control and protect classified and sensitive

information. We found one instance where a facility could not
account for 10,000 classified documents. In 1987, 1989, and 1991,
we reported that foreign countries routinely obtained unclassified
but sensitive information that could assist their nuclear weapons
capability. Earlier this year, we reported that under its program
with Russia to prevent proliferation, DOE

GAO/T-RCED-99-159 Page 1

may have provided Russian scientists with dual- use defense-
related information that could negatively affect national
security.  Lax physical security controls, such as security
personnel and fences, to

protect facilities and property. Our reviews of security personnel
have shown that these personnel have been unable to demonstrate
basic skills such as arresting intruders or shooting accurately;
at one facility, 78 percent of the security personnel failed a
test of required skills. Furthermore, we found that equipment and
property worth millions of dollars was missing at some facilities.
Ineffective management of personnel security clearance programs
has

been a problem since the early 1980s. Backlogs were occurring in
conducting security investigations, and later when the backlogs
were reduced, we found some contractors were not verifying
information on prospective employees.  Weaknesses in DOE's ability
to track and control nuclear materials. We

reported in 1980 and again in 1991 that, at some facilities, DOE
was not properly measuring, storing, and verifying quantities of
nuclear materials. Also, DOE was not able to track all nuclear
material sent overseas for research and other purposes.

The recent revelations about espionage bring to light how
ingrained security problems are at DOE. Although each individual
security problem is a concern, when these problems are looked at
collectively over time, a more serious situation becomes apparent.
While a number of investigations are currently underway to
determine the status of these security problems, we have found
that DOE has often agreed to take corrective action but the
implementation has not been successful and the problems reoccur.
In our view, there are two overall systemic causes for this
situation. First, DOE managers and contractors have shown a lack
of attention and/ or priority to security matters. Second, and
probably most importantly, there is a serious lack of
accountability at DOE. Efforts to address security problems have
languished for years without resolution or repercussions to those
organizations responsible.

Security in today's environment is even more challenging, given
the greater openness that now exists at DOE's facilities and the
international cooperation associated with some of DOE's research.
Even when more stringent security measures were in place than
there are today, such as those in effect during the development of
the first atomic bombs, problems have arisen and secrets can be,
and were, lost. Consequently, continual vigilance, as well as more
sophisticated security strategies, will be needed to meet the
threats that exist today. Mr. Chairman, we are concerned that,

GAO/T-RCED-99-159 Page 2

given DOE's past record, it may not be up to the challenge without
congressional oversight to hold it accountable for achieving
specific goals and objectives for security reform. Therefore, we
are pleased that the Committee has taken a special interest in
DOE's security problems and we have already begun to work on the
Committee's request to have us assess the current status of these
security problems.

Background DOE has numerous contractor- operated facilities that
carry out the programs and missions of the Department. Much of the
work conducted at

these facilities is unclassified and nonsensitive and can be, and
is, openly discussed and shared with researchers and others
throughout the world. However, DOE's facilities also conduct some
of the nation's most sensitive activities, including designing,
producing, and maintaining the nation's nuclear weapons;
conducting efforts for other military or national security
applications; and performing research and development in advanced
technologies for potential defense and commercial applications.

Security concerns and problems have existed since these facilities
were created. The Los Alamos National Laboratory in New Mexico
developed the first nuclear weapons during the Manhattan Project
in the 1940s; however, it was also the target of espionage during
that decade as the then Soviet Union obtained key nuclear weapons
information from the laboratory. In the 1960s, significant amounts
of highly enriched uranium a key nuclear weapons material was
discovered to be missing from a private facility under the
jurisdiction of the Atomic Energy Commission, a predecessor to
DOE. It is widely believed that in the early 1980s, China obtained
information on neutron bomb design from the Lawrence Livermore
National Laboratory in California.

Most recently, two incidents have occurred at Los Alamos in which
laboratory employees are believed to have provided classified
information to China. In one situation, a laboratory employee
admitted to providing China classified information on a technology
used to conduct nuclear weapons development and testing. In the
other situation, which occurred earlier this year, DOE disclosed
that it had evidence that indicated China obtained information on
this nation's most advanced nuclear warhead and had used that
information to develop its own smaller, more deliverable nuclear
weapons. A laboratory employee has been fired as a result of
recent investigations into how this information was obtained by
China; however, no charges have yet been filed.

GAO/T-RCED-99-159 Page 3

Problems Noted in Critical Security Areas

While the recent incidents at Los Alamos have been receiving
national attention, these are only the most recent examples of
problems with DOE's security systems. For nearly 20 years, we have
issued numerous reports on a wide range of DOE security programs
designed to protect nuclear weapons- related and other sensitive
information and material. These reports have included nearly 50
recommendations for improving programs for controlling foreign
visitor access, protecting classified and sensitive information,
maintaining physical security over facilities and property,
ensuring the trustworthiness of employees, and accounting for
nuclear materials. While DOE has often agreed to take corrective
actions, we have found that the implementation has often not been
successful and that problems recur over the years. I would like to
highlight some of the security problems identified in these
reports.

Inadequate Controls Over Foreign Visitors

Thousands of foreign nationals visit DOE facilities each year,
including the three laboratories Lawrence Livermore National
Laboratory in California and the Los Alamos National Laboratory
and the Sandia National Laboratories in New Mexico 1 that are
responsible for designing and maintaining the nation's nuclear
weapons. These visits occur to stimulate the exchange of ideas,
promote cooperation, and enhance research efforts in unclassified
areas and subjects. However, allowing foreign nationals into the
weapons laboratories is not without risk, as this allows foreign
nationals direct and possibly long- term access to employees with
knowledge of nuclear weapons and other sensitive information.
Consequently, DOE has had procedures to control these visits as
well as other lines of defense such as access controls and
counterintelligence programs to protect its information and
technology from loss to foreign visitors.

In 1988, we reported that significant weaknesses exist in DOE's
controls over foreign visitors to these laboratories. 2 First,
required background checks were performed for fewer than 10
percent of the visitors from sensitive countries prior to their
visit. 3 As a result, visitors with questionable backgrounds
including connections with foreign intelligence services obtained
access to the laboratories without DOE's

1 Sandia also has a facility adjacent to the Lawrence Livermore
facility in California. 2 Nuclear Nonproliferation: Major
Weaknesses in Foreign Visitor Controls at Weapons Laboratories
(GAO/RCED-89-31, Oct. 11, 1988). 3 DOE's definition of sensitive
countries has changed over time. Currently, DOE views certain
countries as sensitive because of concerns about national
security, nuclear nonproliferation, regional instability, or
support of terrorism.

GAO/T-RCED-99-159 Page 4

knowledge. Second, DOE and the laboratories were not always aware
of visits that involved topics, such as isotope separation and
inertial confinement fusion, that DOE considers sensitive because
they have the potential to enhance nuclear weapons capability,
lead to proliferation, or reveal other advanced technologies.
Third, internal controls over the foreign visitor program were
ineffective. Visits were occurring without authorized approvals,
security plans detailing how the visits would be controlled were
not prepared, and DOE was not notified of visits. Because DOE was
not notified of the visits, it was unaware of the extent of
foreign visitors to the laboratories.

At that time, DOE acknowledged problems with its controls over
foreign visitors and subsequently set out to resolve these
problems. Among other things, DOE revised its foreign visitor
controls, expanded background check requirements, established an
Office of Counterintelligence at DOE headquarters, and created an
integrated computer network for obtaining and disseminating data
on foreign visitors. However, at the same time the number of
foreign visitors continued to grow. Between the period of the
late- 1980s to the mid- 1990s, the annual number of foreign
visitors increased from about 3,800 to 6,400 per year nearly 70
percent and those from sensitive countries increased from about
500 to over 1,800 per year more than 250 percent.

We again examined the controls over foreign visitors and reported
in 1997 that most of the problems with these controls persist. 4
We found that revised procedures for obtaining background checks
had not been effectively implemented and that at two facilities,
background checks were being conducted on only 5 percent of
visitors from all sensitive countries and on less than 2 percent
of the visitors from China. We also found that visits were still
occurring that may involve sensitive topics without DOE's
knowledge. Moreover, other lines of defense were not working
effectively. Security controls over foreign visitors did not
preclude them from obtaining access to sensitive information. For
example, Los Alamos allowed unescorted after- hours access to
controlled areas to preserve what one official described as an
open campus atmosphere. Evaluations of the controls in areas most
frequented by foreign visitors had not been conducted.

Additionally, we found that the counterintelligence programs for
mitigating the threat posed by foreign visitors needed
improvements.

4 Department of Energy: DOE Needs to Improve Controls Over Foreign
Visitors to Weapons Laboratories (GAO/RCED-97-229, Sept. 25,
1997).

GAO/T-RCED-99-159 Page 5

These programs lacked comprehensive threat assessments, which are
needed to identify the threats against DOE and the facilities most
at risk, and lacked performance measures to gauge the
effectiveness of these programs in neutralizing or deterring
foreign espionage efforts. Without these tools, the
counterintelligence programs lacked key data on threats to the
facilities and on how well the facilities were protected against
these threats.

Information Security Information security involves protecting
classified and/ or sensitive information from inappropriate
disclosure. We have found problems with information security at
the nuclear weapons laboratories that could involve the loss of
classified information and/ or assist foreign nuclear weapons
capability. For example, in February 1991, we reported that the
Lawrence Livermore National Laboratory was unable to locate or
determine the disposition of over 12,000 secret documents. 5 These
documents covered a wide range of topics, including nuclear
weapons design. The laboratory conducted a search and located
about 2,000 of these documents but did not conduct an assessment
of the potential that the documents still missing compromised
national security. We also found that DOE had not provided
adequate oversight of the laboratory's classified document control
program. Although the laboratory's classified document controls
were evaluated annually, the evaluations were limited in scope and
failed to identify that documents were missing.

In 1987 and 1989, we reported that DOE had inadequate controls
over unclassified but sensitive information that could assist
foreign nuclear weapons programs. 6 Specifically, we found that
countries such as China, India, Iraq, and Pakistan that pose a
proliferation or security risk routinely obtain reprocessing and
nuclear weapon- related information from DOE. We also found that
DOE had transferred to other countries information appearing to
meet the definition of sensitive nuclear technology, which
requires export controls. Further, we found that DOE placed no
restrictions on foreign nationals' involvement in reprocessing
research at colleges and universities.

5 Nuclear Security: Accountability for Livermore's Secret
Classified Documents Is Inadequate (GAO/RCED-91-65, Feb. 8, 1991).
6 Nuclear Nonproliferation: Department of Energy Needs Tighter
Controls Over Reprocessing Information (GAO/RCED-87-150, Aug. 17,
1987) and Nuclear Nonproliferation: Better Controls Needed Over
Weapons- Related Information and Technology (GAO/RCED-89-116, June
19, 1989).

GAO/T-RCED-99-159 Page 6

In the 1990s, we continued to raise concerns. In 1991, we reported
that DOE and its weapons laboratories were not complying with
regulations designed to control the risk of weapons technology or
material being transferred to foreign countries having ownership,
control, or influence over U. S. companies performing classified
work for DOE. 7 We estimated that about 98 percent of the
classified contracts awarded at the weapons laboratories during a
30- month period that were subject to such regulations did not
fully comply with those regulations.

As recently as February of this year, we reported on information
security problems in DOE's Initiatives for Proliferation
Prevention with Russia. 8 Under these initiatives, DOE may have
provided defense- related information to Russian weapons
scientists an activity that could negatively affect U. S. national
security. We reviewed 79 projects funded by DOE under this program
and found nine to have dual- use implications that is, both
military and civilian applications such as improving aircraft
protective coating materials, enhancing communication capabilities
among Russia's closed nuclear cities, and improving metals that
could be used in military aircraft engines.

We note that the Department of Commerce has also recently raised
concerns about nuclear- related exports to Russia from at least
one DOE facility. Commerce notified Los Alamos in January 1999
that equipment the laboratory sent to nuclear facilities in Russia
required export licenses and that the laboratory may be facing
civil charges for not obtaining the required licenses.

Physical Security Physical security controls involve the
protection, primarily through security personnel and fences, of
facilities and property. In 1991, we reported that security
personnel were unable to demonstrate basic skills such as the
apprehension and arrest of individuals who could represent a
security threat. 9 Prior to that report, in 1990, we reported that
weaknesses were occurring with security personnel, as some
security personnel could not appropriately handcuff, search, or
arrest intruders or shoot

7 Nuclear Nonproliferation: DOE Needs Better Controls to Identify
Contractors Having Foreign Interests (GAO/RCED-91-83, Mar. 25,
1991). 8 Nuclear Nonproliferation: Concerns With DOE's Efforts to
Reduce the Risks Posed by Russia's Unemployed Weapons Scientists
(GAO/RCED-99-54, Feb. 19, 1999). 9 Nuclear Security: Safeguards
and Security Weaknesses at DOE's Weapons Facilities (GAO/RCED-92-
39, Dec. 13, 1991).

GAO/T-RCED-99-159 Page 7

accurately. 10 For example, we found that at the Los Alamos
National Laboratory, 78 percent of the security personnel failed a
test of required skills. Of the 54- member guard force, 42 failed
to demonstrate adequate skill in using weapons, using a baton, or
apprehending a person threatening the facility's security. Some
failed more than one skill test. We also found that many Los
Alamos' training records for security personnel were missing,
incomplete, undated, changed, or unsigned. Without accurate and
complete training records, DOE could not demonstrate that security
personnel are properly trained to protect the facility.

Problems we have identified were not only with keeping threats out
of the facilities, but also with keeping property in. For example,
we reported in 1990 that the Lawrence Livermore National
Laboratory could not locate about 16 percent of its inventory of
government equipment, including video and photographic equipment
as well as computers and computer- related equipment. 11 When we
returned in 1991 to revisit this problem, we found that only about
3 percent of the missing equipment had been found; moreover, the
laboratory's accountability controls over the equipment were
weaker than in the prior year. 12 We also found that DOE's
oversight of the situation was inadequate and that its property
control policies were incomplete. We found similar problems at
DOE's Rocky Flats Plant in 1994 where property worth millions of
dollars was missing, such as forklifts and a semi- trailer.
Eventually, property worth almost $21 million was written off. 13

Other problems in controlling sensitive equipment have been
identified, such as disposing of usable nuclear- related
equipment, that could pose a proliferation risk. For example, in
1993, DOE sold 57 different components of nuclear fuel
reprocessing equipment and associated design documents, including
blueprints, to an Idaho salvage dealer. DOE subsequently
determined that the equipment and documents could be useful to a
group or country with nuclear material to process, and that the
equipment could significantly shorten the time necessary to
develop and implement a nuclear materials reprocessing operation.
This incident resulted from a

10 Nuclear Safety: Potential Security Weaknesses at Los Alamos and
Other DOE Facilities (GAO/RCED-91-12, Oct. 11, 1990). 11 Nuclear
Security: DOE Oversight of Livermore's Property Management System
Is Inadequate (GAO/RCED-90-122, Apr. 18, 1990). 12 Nuclear
Security: Property Control Problems at DOE's Livermore Laboratory
Continue (GAO/RCED-91-141, May 16, 1991). 13 Department of Energy:
The Property Management System at the Rocky Flats Plant Is
Inadequate (GAO/RCED-94-77, Mar. 1, 1994).

GAO/T-RCED-99-159 Page 8

lack of vigilance at all levels for the potential impacts of
releasing sensitive equipment and information to the public, and
DOE conceded that system breakdowns of this type could have severe
consequences in other similar situations where the equipment and
documents may be extremely sensitive.

Personnel Security DOE's personnel security clearance program is
intended to provide assurance that personnel with access to
classified material and information are trustworthy. We have found
numerous problems in this area, dating back to the early 1980s. In
1987, and again in 1988, we found that DOE headquarters and some
field offices were taking too long to conduct security
investigations. 14 We found that the delays in investigations
lowered productivity, increased costs, and were a security
concern. We also found that DOE's security clearance database was
inaccurate. Clearance files at two field offices contained about
4,600 clearances that should have been terminated and over 600
employees at the Los Alamos laboratory had clearance badges, but
did not have active clearances listed in the files. In other
cases, the files contained inaccurate data, such as incorrect
clearance levels and names. We followed DOE's efforts to remedy
these problems, and by 1993, DOE had greatly reduced its backlog
of investigations. 15 However, some DOE contractors were not
verifying information on prospective employees such as education,
personal references, previous employment, and credit and law
enforcement records.

Accounting for Nuclear Material

Material accountability relates to the protection of special
nuclear material such as enriched uranium and plutonium. In 1991,
we found that DOE facilities were not properly measuring, storing,
and verifying quantities of nuclear materials. 16 Without proper
accounting for nuclear materials, missing quantities are more
difficult to detect. We also found that DOE facilities were not
complying with a rule requiring that two people always be present
when nuclear material is being accessed or used. This rule is

14 Nuclear Security: DOE's Reinvestigation of Employees Has Not
Been Timely (GAO/RCED-87-72, Mar. 10, 1987) and Nuclear Security:
DOE Needs a More Accurate and Efficient Security Clearance Program
(GAO/RCED-88-28, Dec. 29, 1987).

15 Nuclear Security: DOE's Progress on Reducing Its Security
Clearance Work Load (GAO/RCED-93-183, Aug. 12, 1993). 16 Nuclear
Security: Safeguards and Security Weaknesses at DOE's Weapons
Facilities (GAO/RCED-92-39, Dec. 13, 1991).

GAO/T-RCED-99-159 Page 9

designed to preclude a single individual from having access to and
diverting nuclear material without detection.

In 1994 and 1995, we reported on DOE's efforts to develop a
nuclear material tracking system for monitoring nuclear materials
exported to foreign countries. 17 A nuclear tracking system is
important to protect nuclear materials from loss, theft, or
diversion. In 1994, we reported that the existing system was not
able to track all exported nuclear materials and equipment;
moreover, DOE had not adequately planned the replacement system.
We recommended activities that we believed were necessary to
ensure that the new system would be successful. In 1995, we found
that DOE had not implemented our recommendations and had no plans
to do so. We also found that the system still had development
risks. DOE was not adequately addressing these risks and had no
plans to conduct acceptance testing, and as a result of these
problems, it had no assurance that the system would ever perform
as intended. Our concerns were justified, as 3 months after the
new tracking system began operating, the technical committee
overseeing this system concluded that it faced a high probability
of failure and that the system should not be used.

Key Factors Contributing to Security Problems

As you can see, Mr. Chairman, our work over the years has
identified a wide variety of specific security problems at DOE
facilities. While each individual security problem is a concern,
when looked at collectively over an extended period of time, a
more serious situation becomes apparent that stems from systemic
causes. In our view, there are two overall systemic causes of the
security problems. First, there has been a longstanding lack of
attention and/ or priority given to security matters by DOE
managers and its contractors. Second, and probably most
importantly, there is a serious lack of accountability among DOE
and its contractors for their actions. These two causes are
interrelated and not easily corrected.

Lack of Attention and Priority to Security

The lack of attention and priority given by DOE management and its
contractors to security matters can be seen in many areas. One
area is its long- term commitment to improving security. For
example, in response to our 1988 report on foreign visitors, DOE
required more background checks be obtained. However, 6 years
later, it granted Los Alamos and Sandia exemptions to this
requirement, and as a result, few background checks were conducted
at those facilities. Also in response to our 1988 report, DOE

17 Nuclear Nonproliferation: U. S. International Nuclear Materials
Tracking Capabilities Are Limited (GAO/ RCED/ AIMD- 95- 5, Dec.
27, 1994) and Department of Energy: Poor Management of Nuclear
Materials Tracking System Makes Success Unlikely (GAO/AIMD-95-165,
Aug. 3, 1995).

GAO/T-RCED-99-159 Page 10

brought in FBI personnel to assist its counterintelligence
programs. However, the FBI eventually withdrew its personnel in
the early 1990s because of resistance within DOE to implementing
the measures the FBI staff believed necessary to improve security.
We note with interest that in response to the current concerns
with foreign visitors and other espionage threats against DOE
facilities, the FBI is again being brought in to direct DOE's
counterintelligence program.

The lack of attention to security matters can be seen in other
ways as well. In 1996, when foreign visitors were coming in
increasing numbers to the laboratory, Los Alamos funded only 1.1
staff years for its counterintelligence program. Essentially, one
person had to monitor not only thousands of visitors to the
laboratory but also monitor over 1,000 visits made by laboratory
scientists overseas. This problem was not isolated to Los Alamos;
funding for counterintelligence activities at DOE facilities
during the mid- 1990s could only be considered minimal. Prior to
fiscal year 1997, DOE provided no direct funding for
counterintelligence programs at its facilities. Consequently, at
eight high- risk facilities, counterintelligence program funding
was obtained from overhead accounts and totaled only $1.4 million
and 15 staff. Resources were inadequate in other areas. In 1992,
we reported that safeguard and security plans and vulnerability
assessments for many of DOE's sensitive facilities were almost 2
years overdue because, among other reasons, DOE had not provided
sufficient staff to get the job done. These plans and assessments
are important in identifying threats to the facilities as well as
devising countermeasures to the threats. In our view, not
providing sufficient resources to these important activities
indicates that security is not a top priority. This problem is not
new. We reported in 1980 and again in 1982 that funding for
security has low priority and little visibility. 18

Earlier I mentioned missing classified documents at Lawrence
Livermore Laboratory. In response to that report, both DOE and
laboratory officials showed little concern for the seriousness of
the situation and told us that they believed the missing documents
were the result of administrative error, such as inaccurate record
keeping and not theft. Although DOE is required to conduct an
assessment of the missing documents' potential for compromising
national security, at the time of our report DOE did not plan to
do this for over 1 year after we reported the documents missing.

18 Nuclear Fuel Reprocessing and the Problems of Safeguarding
Against the Spread of Nuclear Weapons, (EMD- 80- 38, Mar. 18,
1980) and Safeguards and Security At DOE's Weapons Facilities Are
Still Not Adequate, (C- GAO/EMD-82-1, Aug. 20, 1982).

GAO/T-RCED-99-159 Page 11

Similarly, security problems identified by DOE's own internal
security oversight staff often go unresolved, even today. For
example, issues related to the inadequate separation of classified
and unclassified computer networks were identified at Los Alamos
in 1988, 1992, and 1994. This problem was only partially corrected
in 1997, as classified information was discovered on Los Alamos'
unclassified computer network in 1998. We found in 1991 that
deficiencies DOE identified as early as 1985 at six facilities had
not been corrected by 1990 because DOE did not have a systematic
method to track corrective actions taken on its own security
inspections.

The low priority given security matters is underscored by how DOE
manages its contractors. DOE's contract with the University of
California for managing its Los Alamos and Lawrence Livermore
national laboratories contain specific measures for evaluating the
university's performance. These measures are reviewed annually by
DOE and should reflect the most important activities of the
contractor. However, none of the 102 measures in the Los Alamos
contract or the 86 measures in the Lawrence Livermore contract
relate to counterintelligence. We reported in 1997 that DOE had
not developed measures for evaluating the laboratories'
counterintelligence activities, and DOE told us it was considering
amending its contracts to address this problem. Performance
measures for counterintelligence activities are still not in its
contracts for these two laboratories. The contracts do contain a
related measure, for safeguarding classified documents and
materials from unauthorized persons, but this measure represents
less than 1 percent of the contractor's total score. Safeguards
and security performance measures in general account for only
about 5 percent of the university's performance evaluations for
the two laboratories.

The low priority afforded security matters may account for the low
rating DOE has just given nuclear weapons facilities in its latest
Annual Report on Safeguards and Security. Two weapons laboratories
Los Alamos and Lawrence Livermore received a rating of marginal
for 1997 and 1998. In its annual evaluation of Los Alamos' overall
performance, however, DOE rated the laboratory as excellent in
safeguards and security, even though the laboratory reported 45
classified matter compromises and infractions for the year. The
previous 3- year rolling average was 20. DOE explained that the
overall excellent score was justified based on Los Alamos'
performance in many different aspects of safeguards and security.
For future contracts, a new DOE policy will enable the Department
to withhold a laboratory's full fee for catastrophic events, such
as a loss of

GAO/T-RCED-99-159 Page 12

control over classified material. We recommended as far back as
1990 that DOE should withhold a contractor's fee for failing to
fix security problems on a timely basis. Both laboratories have
been managed by the University of California since their inception
without recompeting these contracts, making them among the
longest- running contracts in the DOE complex.

Lack of Accountability In the final analysis, security problems
reflect a lack of accountability. The well- documented history of
security lapses in the nuclear weapons complex show that DOE is
not holding its contractors accountable for meeting all of its
important responsibilities. Furthermore, DOE leadership is not
holding its program managers accountable for making sure
contractors do their jobs.

Achieving accountability in DOE is made more difficult by its
complex organizational structure. Past advisory groups and
internal DOE studies have often reported on DOE's complex
organizational structure and the problems in accountability that
result from unclear chains of command among headquarters, field
offices, and contractors. For example

 The FBI, which examined DOE's counterintelligence activities in
1997, noted that there is a gap between authority and
responsibility, particularly when national interests compete with
specialized interests of the academic or corporate management that
operate the laboratories. Citing the laboratories' autonomy
granted by DOE, the FBI found that this autonomy has made national
guidance, oversight, and accountability of the laboratories'
counterintelligence programs arduous and inefficient.  A 1997
report by the Institute for Defense Analyses cited serious flaws
in

DOE's organizational structure. Noting long- standing concerns in
DOE about how best to define the relationships between field
offices and the headquarters program offices that sponsor work,
the Institute concluded that the overall picture that emerges is
one of considerable confusion over vertical relationships and the
roles of line and staff officials. As a consequence of DOE's
complex structure, the Institute reported that unclear chains of
command led to the weak integration of programs and functions
across the Department, and confusion over the difference between
line and staff roles. 19  A 1997 DOE internal report stated that
lack of clarity, inconsistency, and

variability in the relationship between headquarters management
and field organizations has been a longstanding criticism of DOE
operations . . . . This

19 The Organization and Management of the Nuclear Weapons Program,
Institute for Defense Analyses (March 1997).

GAO/T-RCED-99-159 Page 13

is particularly true in situations when several headquarters
programs fund activities at laboratories. . . . 20 DOE's
Laboratory Operations Board also reported in 1997 on DOE's
organizational problems, noting that there were inefficiencies due
to DOE's complicated management structure. The Board recommended
that DOE undertake a major effort to rationalize and simplify its
headquarters and field management structure to clarify roles and
responsibilities. 21

DOE's complex organization stems from the multiple levels of
reporting that exist between contractors, field offices, and
headquarters program offices. Further complicating reporting, DOE
assigns each laboratory to a field operations office, whose
director serves as the contract manager and also prepares the
contractor's annual appraisal. The operations office, however,
reports to a separate headquarters office under the Deputy
Secretary, not to the program office that supplies the funding.
Thus, while the Los Alamos National Laboratory is primarily funded
by Defense Programs, it reports to a field manager who reports to
another part of the agency.

We believe these organizational weaknesses are a major reason why
DOE has been unable to develop long- term solutions to the
recurring problems reported by advisory groups. Recent events at
the Brookhaven National Laboratory in New York, for example,
illustrate the consequences of organizational confusion. Former
Secretary Pena fired the contractor operating the laboratory when
he learned that the contractor breached the community's trust by
failing to ensure it could operate safely. DOE did not have a
clear chain of command over environment, safety, and health
matters and, as a result, laboratory performance suffered in the
absence of DOE accountability. To address problems in DOE's
oversight, the Secretary removed the Chicago Operations Office
from the chain of command over Brookhaven, by having the on- site
DOE staff report directly to the Secretary's office. We found,
however, that even though the on- site staff was technically
reporting directly to the Secretary's office, the Chicago
Operations Office was still managing the contractor on a day- to-
day basis, including retaining the responsibility for preparing
the laboratory's annual appraisal. Chicago officials told us that
there was considerable confusion regarding the roles of Chicago
and on- site DOE staff. As a result, DOE did not fundamentally
change how it manages the contractor through its field offices.

20 DOE Action Plan for Improved Management of Brookhaven National
Laboratory, DOE (July 1997). 21 Department of Energy: Uncertain
Progress in Implementing National Laboratory Reforms, (GAO/RCED-
98-197, Sept. 10, 1998).

GAO/T-RCED-99-159 Page 14

This concludes my testimony, and I will be happy to answer any
questions you may have.

GAO/T-RCED-99-159 Page 15

GAO/T-RCED-99-159 Page 16

GAO/T-RCED-99-159 Page 17

Appendix I GAO Related Products

Nuclear Fuel Reprocessing And The Problems Of Safeguarding Against
The Spread Of Nuclear Weapons (EMD- 80- 38, Mar. 18, 1980).

Safeguards and Security At DOE's Weapons Facilities Are Still Not
Adequate (C- GAO/EMD-82-1, Aug. 20, 1982).

Security Concerns at DOE's Rocky Flats Nuclear Weapons Production
Facility (GAO/RCED-85-83, Apr. 22, 1985).

Nuclear Nonproliferation: DOE Has Insufficient Control Over
Nuclear Technology Exports (GAO/RCED-86-144, May 1, 1986).

Nuclear Security: DOE's Reinvestigation of Employees Has Not Been
Timely (GAO/RCED-87-72, Mar. 10, 1987).

Nuclear Nonproliferation: Department of Energy Needs Tighter
Controls Over Reprocessing Information (GAO/RCED-87-150, Aug. 17,
1987).

Nuclear Security: DOE Needs a More Accurate and Efficient Security
Clearance Program (GAO/RCED-88-28, Dec. 29, 1987).

Nuclear Nonproliferation: Major Weaknesses in Foreign Visitor
Controls at Weapons Laboratories (GAO/RCED-89-31, Oct. 11, 1988).

Nuclear Security: DOE Actions to Improve the Personnel Clearance
Program (GAO/RCED-89-34, Nov. 9, 1988).

Nuclear Nonproliferation: Better Controls Needed Over Weapons-
Related Information and Technology (GAO/RCED-89-116, June 19,
1989).

Nuclear Security: DOE Oversight of Livermore's Property Management
System Is Inadequate (GAO/RCED-90-122, Apr. 18, 1990).

Nuclear Safety: Potential Security Weaknesses at Los Alamos and
Other DOE Facilities (GAO/RCED-91-12, Oct. 11, 1990).

Nuclear Security: Accountability for Livermore's Secret Classified
Documents Is Inadequate (GAO/RCED-91-65, Feb. 8, 1991).

Nuclear Nonproliferation: DOE Needs Better Controls to Identify
Contractors Having Foreign Interests (GAO/RCED-91-83, Mar. 25,
1991).

GAO/T-RCED-99-159 Page 18

Appendix I GAO Related Products

Nuclear Security: Property Control Problems at DOE's Livermore
Laboratory Continue (GAO/RCED-91-141, May 16, 1991).

Nuclear Security: DOE Original Classification Authority Has Been
Improperly Delegated (GAO/RCED-91-183, July 5, 1991).

Nuclear Security: Safeguards and Security Weaknesses at DOE's
Weapons Facilities (GAO/RCED-92-39, Dec. 13, 1991).

Nuclear Security: Weak Internal Controls Hamper Oversight of DOE's
Security Program (GAO/RCED-92-146, June 29, 1992).

Nuclear Security: Improving Correction of Security Deficiencies at
DOE's Weapons Facilities (GAO/RCED-93-10, Nov. 16, 1992).

Nuclear Security: Safeguards and Security Planning at DOE
Facilities Incomplete (GAO/RCED-93-14, Oct. 30, 1992).

Personnel Security: Efforts by DOD and DOE to Eliminate
Duplicative Background Investigations (GAO/RCED-93-23, May 10,
1993).

Nuclear Security: DOE's Progress on Reducing Its Security
Clearance Work Load (GAO/RCED-93-183, Aug. 12, 1993).

Nuclear Nonproliferation: U. S. International Nuclear Materials
Tracking Capabilities Are Limited (GAO/ RCED/ AIMD- 95- 5, Dec.
27, 1994).

Department of Energy: Poor Management of Nuclear Materials
Tracking System Makes Success Unlikely (GAO/AIMD-95-165, Aug. 3,
1995).

Nuclear Nonproliferation: Concerns With the U. S. International
Nuclear Materials Tracking System (GAO/ T- RCED/ AIMD- 96- 91,
Feb. 28, 1996).

DOE Security: Information on Foreign Visitors to the Weapons
Laboratories (GAO/T-RCED-96-260, Sept. 26, 1996).

Department of Energy: DOE Needs to Improve Controls Over Foreign
Visitors to Weapons Laboratories (GAO/RCED-97-229, Sept. 25,
1997).

Department of Energy: Information on the Distribution of Funds for
Counterintelligence Programs and the Resulting Expansion of These
Programs (GAO/RCED-97-128R, Apr. 25, 1997).

GAO/T-RCED-99-159 Page 19

Appendix I GAO Related Products

Department of Energy: Problems in DOE's Foreign Visitor Program
Persist (GAO/T-RCED-99-19, Oct. 6, 1998).

Department of Energy: DOE Needs To Improve Controls Over Foreign
Visitors To Its Weapons Laboratories (GAO/T-RCED-99-28, Oct. 14,
1998).

Nuclear Nonproliferation: Concerns With DOE's Efforts to Reduce
the Risks Posed by Russia's Unemployed Weapons Scientists
(GAO/RCED-99-54, Feb. 19, 1999).

(141318) GAO/T-RCED-99-159 Page 20

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary.
VISA and MasterCard credit cards are accepted, also. Orders for
100 or more copies to be mailed to a single address are discounted
25 percent.

Orders by mail: U. S. General Accounting Office P. O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512- 6000 or by using
fax number (202) 512- 6061, or TDD (202) 512- 2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512- 6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e- mail message with "info" in the body to:

info@ www. gao. gov or visit GAO's World Wide Web Home Page at:
http:// www. gao. gov

PRINTED ON RECYCLED PAPER

United States General Accounting Office Washington, D. C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. G100

*** End of document. ***